Do I need to sanitize the user input Laravel

Question

I am using Laravel 4 with Eloquent. When I get the user input I just use $name=Input::get('name') and then I do $a->name=$name;

I don't know if the function Input::get protect me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input?

And, when I show the value in my view, shall I use {{$a}} or {{{$a}}}

In addition to the other answers, in case you decide to use something like new Something(Input::all()) make sure to specify the $fillable fields in the Something model, in order to protect against mass assignment. Not strictly pertaining to your questions, but something to be aware of. — Yasen Slavov, Oct 05 '14 at 13:03

score 18 · Accepted Answer · edited Mar 28 '23 at 12:54

18

Eloquent ORM uses PDO's parameter binding, so SQL injection is not something you should worry about. When you're working with raw SQL, you should be using parameter binding as well.

Input::get() does not filter anything.

Double curly braces (triple in the discontinued versions) do the same as e() and HTML::entities(). All of them call htmlspecialchars with UTF-8 support:

htmlspecialchars($your_string, ENT_QUOTES, 'UTF-8', false);

edited Mar 28 '23 at 12:54

Your Common Sense

156,878
40
214
345

answered Oct 05 '14 at 12:52

cha-cha

328
3
13

If I use {{{ to show it, should I use also htmlentities when saving the information? – cruster946 Oct 05 '14 at 13:08
3

Escape output, not input. – cha-cha Oct 05 '14 at 13:20
2

There's no need to alter data unless you actually use it. Filter input, escape output. – cha-cha Oct 05 '14 at 13:30
It should be pointed out that Laravel provides raw sql query support which isn't protected from injection at all. So there is always the chance that someone may build a site with some raw queries that do need manual cleaning. – AdamJones Feb 11 '20 at 13:33

Marcin Nabiałek · Answer 2 · 2014-10-05T13:08:55.247

5

You should use {{{$a}}} because for example Input can has HTML tag. Laravel won't filter it.

To avoid SQL injection you should use bind your parameters running queries like:

$var = 1;
$results = DB::select('select * from users where id = ?', array($var));

and not:

$results = DB::select('select * from users where id = '.$var);

edited Oct 05 '14 at 13:08

answered Oct 05 '14 at 12:47

Marcin Nabiałek

109,655
42
258
291

So I should use htmlentities or something like that? What does Input::get filter? – cruster946 Oct 05 '14 at 12:49
@Fylux So far as I know it's interface to getting POST, GET and so on data. It trims data but doesn't filter it, so when displaying you should use triple bracing - this way `htmlentities` function is run on variable value – Marcin Nabiałek Oct 05 '14 at 13:05
If I use {{{ to show it, should I use also htmlentities when saving the information? – cruster946 Oct 05 '14 at 13:07
@Fylux No, using `{{{` Laravel will do it for you – Marcin Nabiałek Oct 05 '14 at 13:07
But is there any problem if I have a corrupted input saved in my db? – cruster946 Oct 05 '14 at 13:08
@Fylux what do you mean? Always there might be some problem and running htmlentities or {{{ in theory should solve this problem – Marcin Nabiałek Oct 05 '14 at 13:10
I mean, if would be better to do both things, use htmlentities and {{{ – cruster946 Oct 05 '14 at 13:13
And about you comment, I guess I won't have problem with binding parameters because I use Eloquent. – cruster946 Oct 05 '14 at 13:15
Don't use `DB::select(...)`. Better use models `User::find($id)`. – PiTheNumber Apr 13 '23 at 11:38

score -1 · Answer 3 · answered Mar 28 '23 at 12:37

-1

This returns sanitized string enclosed within quotes for safe use in a SQL query:

$safe_string = DB::connection()->getPdo()->quote($unsafe_string);

answered Mar 28 '23 at 12:37

Ilyich

4,966
3
39
27

Not a single reason to use this function – Your Common Sense Mar 28 '23 at 12:50

Do I need to sanitize the user input Laravel

3 Answers3